Another month goes by, another set of new features and improvements. This month we have:

- Improved the "Select the Vulnerability Category" challenges
- Added custom Tags that can be assigned to developers
- Improved the Assessment module by enabling CSV downloads of assessment results

More details on each of these are below.

"Select the Vulnerability Category" improvements

We have received a lot of feedback from developers on the "select the vulnerability category" challenges in the platform. Developers found it hard to choose from the long list of vulnerability categories and struggled to identify the correct terminology for the vulnerability in front of them.

To address this, we have changed the structure of the question. Instead of a long list of vulnerability terms to choose from, the developer is now given only 4 to 6 options from which to pick the correct answer. This should remove ambiguity (is this a CSRF problem? A session management problem? Both?) and make the challenges a better way to learn the taxonomy of security vulnerabilities.

Custom Tags for developers

Company Administrators can now assign custom Tags to individual developers. Examples could be:
- Country where the developer is located
- Business Unit where the developer resides
- Seniority within the developer group
- etc.

These tags can be used later as reporting filters. We are also modifying the CSV downloads to include these custom tags.

Tags are assigned to an individual

Assessment Module - Download results as CSV

We have added a download-to-CSV function to the platform which allows managers to download the results of all developers for a particular assessment. This allows managers to carry out further analysis of the results.

To download the results of an assessment for all developers, click into the assessment and click "Download CSV".

Thursday, August 4, 2016

Secure Code Warrior has signed an A$1 million three-year deal with a major Australian Big Four bank to strengthen the secure coding skills of 4000 software developers.

Under the arrangement, Secure Code Warrior will supply proven, innovative hands-on training exercises to the bank that teach developers not only to find vulnerabilities but also to identify patches for the respective flaws.

Courses follow a gamification model in which points are awarded to participants for selecting correct answers. Tournament mode is the pinnacle of this, with developers competing for the title of most secure coder.

The spend on secure coding by a major Australian tech heavyweight heralds what may be a broader push towards secure developer training across the financial and tech industries.

"Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed," Secure Code Warrior co-founder Pieter Danhieux says.

"Too often secure code training consists of classroom style sessions which do not scale, fail to engage developers through abstract concepts resulting in low knowledge retention rates, and lack the educational material to show how to remediate vulnerabilities."

This is especially evident in the consistent gold and silver medals awarded each year to SQL injection (SQLi) and cross-site scripting (XSS) by The Open Web Application Security Project (OWASP) in its Top Ten web application vulnerabilities project, which describes the world's worst web flaws.

These flaws are basic, yet as prevalent as they are perennial. In the last year SQLi was responsible for the mega breaches at Ashley Madison, Mossack Fonseca, and TalkTalk.

The Australian bank will put its coders through a series of courses that will test their individual ability to write secure code.

Developers will have to identify a series of vulnerabilities and, crucially, analyse multiple patch options in order to pass assessments.

This will have the effect of teaching developers to both find and patch vulnerabilities, a feat that is normally separated into distinct spheres.

Organisations will also be able to put contracting developers through a dedicated assessment mode to maintain a minimum skill level.

Pieter says both organisations and developers are known to focus on features and functions over security.

"This can result in great functional apps built with code that has both glaring and subtle security holes," Pieter says.

Security teams are largely isolated and bolted on to the development process, where they serve, if at all, as a drawbridge that lowers only when teams have accepted or fixed identified vulnerabilities.

"Security must move from a separate team into the developers themselves, especially when using Agile methodologies," Pieter says.

"This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team."

Return on investment is demonstrated through each developer's skills progression, which is viewable within the security training portals.

Managers will be able to observe progress throughout courses and benchmark those skill sets against an expanding list of industry peers.

Secure Code Warrior has landed major household-name customers across Europe and the US, including major risk-averse financial firms. It counts Sportsbet and Tyro Payments among its multiple household-name Australian customers.

Secure Code Warrior was nominated at AusCERT for Best Security Initiative and for the Cyber Security Excellence Awards.